With cyberthreats increasing, it’s imperative that engineers embed cybersecurity principles into their design processes from the outset. This means thinking beyond traditional design parameters and building for resilience, survivability, and operational integrity.
As engineers build increasingly complex systems ranging from autonomous machines and embedded sensors to cloud-connected infrastructure, cybersecurity must become a core design consideration, not an afterthought. In a world where nearly every device connects to a network, the line between physical and digital risk has faded. Engineering designs have become more susceptible to cyberattack, culminating in potential danger to livelihoods and the environment.
Cyberthreats have the power to undermine the very foundations of a system’s design. They can disrupt the confidentiality of sensitive data, compromise the integrity of physical processes, and interrupt the availability of essential services. The consequences of a breach can be far-reaching, including service outages, safety hazards, financial loss, reputational damage, and in some cases, even harm to human life.
Consider the 2021 ransomware attack on the Colonial Pipeline, a US pipeline that distributes petroleum products primarily in the Southeast. A single compromised password shut down a key part of the US energy supply chain. The fault wasn’t mechanical or structural; it was digital. The Colonial Pipeline attack was preceded by a cyberattack in 2015 on the power grid in Ukraine, which cut electricity to nearly 250,000 Ukrainians by using remote control software to trip breakers. A second attack on that same grid in 2016 was performed using malware that directly manipulated SCADA control systems. For engineers, the takeaway is clear—even a system that performs flawlessly under normal conditions is vulnerable if it can be manipulated, shut down, or held hostage from the outside.
To safeguard their work and the people who rely on it, engineers should embed cybersecurity principles into their design processes from the outset. This means thinking beyond traditional design parameters and building for resilience, survivability, and operational integrity. As technology continues to evolve, engineers will increasingly bear ethical and professional responsibility not just for how systems function, but for how they defend against threats.
The Engineering Imperative for Cybersecurity
The US Cybersecurity and Infrastructure Security Agency (CISA) defines cybersecurity as the practice of protecting networks, devices, and data from unauthorized access or criminal use. This has direct implications for engineering, which involves creating digital representations of designs using tools, models, data, and artificial intelligence. Engineering disciplines support product development across various areas such as power grids, water treatment plants, communication systems, roadways and other infrastructure, autonomous vehicles, robotics, and AI-driven control systems. Protecting the confidentiality, integrity, and availability of engineering tools, as well as the product’s proprietary intellectual property, critical public infrastructure, and complex connections to cloud services, mobile interfaces, and IoT devices, is essential.
The current cyberthreat landscape is diverse and rapidly evolving. A single breach can leak sensitive schematics or bring down systems relied on by thousands. Engineers now face challenges such as phishing schemes that deceive users into revealing credentials, ransomware attacks that cripple systems until a ransom is paid, compromised devices on the Internet of Things (IoT), and vulnerabilities within third-party components acquired via global supply chains. With the accelerating pace of technological innovation, the scope and complexity of these risks will only increase. In this environment, security must be considered a key part of system reliability and safety.
Building Cybersecurity Into Engineering Practice
Cybersecurity can’t be bolted on after the fact and should be part of the plan from day one. To meet these challenges, engineers must integrate security deeply into their workflows rather than treating it as an afterthought. This includes encrypting sensitive data both at rest and in transit, controlling access strictly to authorized personnel, and ensuring that software and firmware are kept current with patches.
Traditional failure modes, like a cracked shaft or a burnt-out motor, are often visible and diagnosable. But cyber failures can be silent, hidden in malicious firmware updates or exposed application program interfaces (APIs). A "secure by design" mindset includes threat modeling, risk assessments, and code reviews during development. The zero trust model, where no user or device is assumed trustworthy by default, is especially valuable in today’s connected systems.
Frequent training matters, too. Engineers and other team members must stay informed about the latest threats and best practices, and engineering teams should receive regular updates on both. Even the most secure architecture can be undermined by a phishing email or misconfigured access setting. Promoting a "security-aware" culture across departments can eliminate common risks like default passwords, unvalidated inputs, exposed debug ports, or exposed APIs.
But engineers also need to plan for when things go wrong. What happens if a component is compromised—does the failure spread or stay isolated? Can the system continue operating safely? How quickly can we detect, contain, and recover from an attack? Regular penetration testing, network audits, and disaster recovery drills are just as vital as stress tests or thermal simulations. Maintaining secure backups and regularly testing disaster recovery protocols ensures rapid restoration following incidents.
Ethics, Law, and the Engineer’s Duty
Cybersecurity is more than a technical challenge; it’s a professional obligation. Engineers are expected to protect the public, maintain safe systems, and act in accordance with industry regulations and legal requirements. As such, there is an ethical duty to secure confidential information, proprietary technology, and personal data.
Protecting intellectual property, such as technical drawings, algorithms, and unique processes, is a firm’s responsibility to clients, collaborators, and society. The unauthorized disclosure or theft of this information can cause serious harm, both financially and reputationally.
When an incident occurs, honesty and transparency matter. The incident response should include prompt communication with internal stakeholders, regulators, customers, and end-users. Clear communication regarding a breach’s scope demonstrates accountability and respect for those impacted. Beyond satisfying legal requirements, such openness builds trust and signals a firm’s commitment to integrity.
Neglecting cybersecurity can result in regulatory penalties, lawsuits, and loss of public confidence. Responsible engineering today includes being proactive about security and ready to respond when something goes wrong. Firms must ensure that the systems they design, build, and manage do not expose users or society to preventable risks. Ethical cybersecurity practice includes being proactive about security, continuously assessing one’s own readiness, and being equipped to respond when an event does occur.
New Technology, New Risk
With technologies like AI, machine learning, cloud, and IoT/edge computing becoming standard, systems are more capable, but also more complex. Complexity often means more potential vulnerabilities. Each sensor, API, or cloud connection increases a system’s attack surface.
Secure design includes everything from architecture choices and secure coding practices to rigorous vetting of third-party components. Considering these factors is essential to mitigating the associated risks. Because each added component widens the attack surface, engineers must think critically about every interface. What does this device do if it’s compromised? How is communication encrypted and authenticated? What fail-safes are in place?
Moving Toward a Resilient Culture
Cybersecurity isn’t the job of one specialist or department. Engineering organizations should clearly define roles and accountability for cybersecurity, allocate resources for tools, audits, and outside expertise, and provide continuous training for engineers at all levels. They should also consider risk in their overall system design and testing. Cyber insurance and incident response planning are important tools as well.
Cybersecurity should not be viewed as a hurdle to innovation, but as an enabler of safe, sustainable progress. Engineers who integrate security thinking into their work help ensure that their contributions are not only functional and efficient, but also safe, trustworthy, and resilient. Cybersecurity might feel like someone else’s job, but if you built it, you’re responsible for protecting it.
Secure Systems Are Built on Trust
Cyberthreats are no longer abstract or rare; they’re part of the everyday operating environment for engineers. By integrating cybersecurity into design, testing, and operations, engineers fulfill both a technical and an ethical duty. As we shape the future through technology, engineers must stay alert to the invisible threats that come with it. Strong, secure systems aren’t just high performing; they’re built on trust. And that trust starts with cybersecurity.
PROTECTING PEOPLE, SYSTEMS, AND INFRASTRUCTURE
NICET (NSPE’s certification division) has launched a Systems Software Integrator (SSI) certification program. The purpose of the certification is to provide a common standard of care to reduce risk, improve quality, and ensure public safety as software and information technology converge with the operation of physical processes and machinery affecting society.
More frequently than ever, software controls critical physical systems. These cyberphysical integrations must be executed with rigorous adherence to guiding principles and best practices that ensure reliable and secure systems. SSI professional certification can be a key part of the solution.
Who Should Apply for Certification
If your work involves bridging hardware and software, managing system risks, ensuring compliance, and protecting infrastructure from cybersecurity threats, this credential will validate your expertise and elevate your role in the industry. The general requirements for certification candidates are the following: three years of experience with a bachelor’s degree or higher, or six years of experience with a high school diploma or equivalent.
Threats That Systems Software Integrators Work to Mitigate
Decentralized responsible-in-charge. More than two dozen SSI duties are being handled by nine different job titles according to NSPE research. In too many environments, no single person is responsible for secure integration of systems. The certified SSI professional becomes that single point of contact, with stop-work authority, for certifying compliance and securing the software supply chain end-to-end.
Exponential growth in cyberattacks. Cybersecurity must be a consideration in any critical system. Attacks are now an everyday reality that threaten even the most highly secure systems across all sectors. SSIs are professionals who use proper methodologies to secure systems with proper fallback and recovery systems.
Increased reliance on AI. AI serves as a powerful tool to advance industry faster than ever. But with that power comes questions about efficacy, safety, security, and ethics. SSI professionals demonstrate a commitment to stay current with the rapidly developing AI landscape.
Decentralized source code. Open-source software (OSS) makes up many of the subcomponents of large software systems. This creates incredible efficiencies and savings, but also potential vulnerabilities that an SSI is adept at managing. A certified SSI has the acumen to attest to a software bill of materials (SBOM) and to ensure zero trust architecture.
Obsolescence of siloed systems. Software is increasingly incorporated into smart operational technology (OT) systems. An informed and qualified SSI guards against potential failure of services through a comprehensive testing plan that ensures all system components are thoroughly tested to meet security, performance, and compliance requirements before deployment.
SSI Certification Now Available
Forward-looking organizations can protect their people, infrastructure, and reputation by supporting SSI certification for professionals involved in cyberphysical systems integration. The Systems Software Integrator (SSI) exam will be available beginning April 6, 2026, providing a new credential for professionals responsible for integrating software into complex operational systems.
Applications are currently being accepted, and through March the application fee is discounted to $75 (regularly $490). Be among the first professionals recognized for expertise in integrating software with the systems that modern infrastructure depends on.
Learn more about the SSI certification program on the NICET website.